feat: allow --experimental-inspector-network-resource node flag

[parthtaneja0001]

Fixes #49500

Description of Change

This PR adds --experimental-inspector-network-resource to Electron’s
Node.js CLI allowlist so it can be passed through to Node.

This enables remote source map resolution in Chrome DevTools for
main and utility processes when using the Node.js inspector.

Checklist

• PR description included
• I have built and tested this PR
• npm test passes
• tests are changed or added
• relevant API documentation, tutorials, and examples are updated
• PR release notes describe the change

Release Notes

Notes: Allowed the --experimental-inspector-network-resource Node.js flag to be passed through Electron.

[welcome]

💖 Thanks for opening this pull request! 💖

Semantic PR titles

We use semantic commit messages to streamline the release process. Before your pull request can be merged, you should update your pull request title to start with a semantic prefix.

Examples of commit messages with semantic prefixes:

• fix: don't overwrite prevent_default if default wasn't prevented
• feat: add app.isPackaged() method
• docs: app.isDefaultProtocolClient is now available on Linux

Commit signing

This repo enforces commit signatures for all incoming PRs.
To sign your commits, see GitHub's documentation on Telling Git about your signing key.

PR tips

Things that will help get your PR across the finish line:

• Follow the JavaScript, C++, and Python coding style.
• Run npm run lint locally to catch formatting errors earlier.
• Document any user-facing changes you've made following the documentation styleguide.
• Include tests when adding/changing behavior.
• Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

[parthtaneja0001]

@electron-cation please add semver/minor

[codebytere]

This also needs to be documented - see https://github.com/electron/electron/blob/5ddd8a020035970094df86efe8c266b3cca011ab/docs/api/command-line-switches.md

[parthtaneja0001]

This also needs to be documented - see https://github.com/electron/electron/blob/5ddd8a020035970094df86efe8c266b3cca011ab/docs/api/command-line-switches.md

Done. Please review once if the documentation looks fine.

[erickzhao]

API LGTM

[itsananderson]

API LGTM

[jkleinsc]

API LGTM

[jkleinsc]

@parthtaneja0001 can you rebase this PR with the latest from main? That should get CI building.

[parthtaneja0001]

@parthtaneja0001 can you rebase this PR with the latest from main? That should get CI building.

Rebased onto the latest main and resolved conflicts.Waiting for CI to run.

[nikwen]

I triggered CI.

Requesting changes to make sure this doesn't get merged before @electron/wg-security takes a look. (Please dismiss my review once that has happened.)

[codebytere]

LGTM from a security perspective. The flag operates within the already-privileged inspector context (where arbitrary code execution is already possible), so the risk is imo low.

One suggestion: docs should note that enabling this flag allows the inspector to make outbound network requests to resolve source maps.

Note: When enabled, the Node.js inspector will make network requests to URLs specified in source maps. Be mindful of this in environments where the process has access to internal networks.

[parthtaneja0001]

updated the docs with the security note

[parthtaneja0001]

@nikwen is there any other review left?

wg-security took a look

[nikwen]

I've dismissed my review. @codebytere is still in "request changes" mode.

[parthtaneja0001]

rebased to latest main to get the CI building

[ckerr]

@codebytere do you still have changes requested?

Concerns have been addressed.

[welcome]

Congrats on merging your first pull request! 🎉🎉🎉

[release-clerk]

Release Notes Persisted

Allowed the --experimental-inspector-network-resource Node.js flag to be passed through Electron.

[trop]

I have automatically backported this PR to "41-x-y", please check out #51377

[trop]

I have automatically backported this PR to "42-x-y", please check out #51378